Privacy-friendly QR codes for identity

Presenting personal information in the form of a QR code has become a daily reality for many during the Covid pandemic: in Quebec, people showed their immunization information using the government-issued VaxiCode, a SMART Health Card (SHC) credential that follows a medical standard adopted in Canada and in many other countries. The paradigm of presenting information about oneself can easily be generalized beyond this health scenario. In this presentation, I’ll first give an overview of the SHC framework, focusing on its security features and describing its deployment in Canada. I’ll then present a generic framework to issue QR codes that can encode attributes of any type. I’ll introduce a strong privacy feature allowing users to only disclose a subset of the encoded attributes, addressing one of the main privacy critiques of SHCs. Finally, I’ll give a demonstration and describe the open-source specification and reference implementation for this generic framework.

Outline of the presentation:

  • SMART Health Card (SHC)
      • Overview of the SHC framework, and of its overseeing organization VCI
      • Security analysis of SHC, including: key management, cryptographic signatures, revocation of issuers and SHCs, and trust establishment (trusted issuer directory and auditing)
  • Claims QR
      • Presentation of the Claims QR framework for generic attributes
      • Hash-based mechanism for selective disclosure of attributes
      • Overview of the open-source specification and reference implementation
      • Demo (issuance and validation of generic attributes)
  • Q&A

Christian Paquin, Principal Research Software Engineer, Microsoft Research

Christian is a security specialist in the Microsoft Research Cryptography team with a mission to bridge the gap between academic research and real-world systems. With 25 years of experience, Christian has been involved in many industry-wide initiatives such as the development of privacy enhancing identity technologies (such as anonymous credentials), the ongoing post-quantum cryptographic migration, and the Coalition for Content Provenance and Authenticity (C2PA) to fight online disinformation. Christian shares some of his work results on his blog: https://christianpaquin.github.io